iptables error: The state match is obsolete. Use conntrack i

Message

Skippy204 · Post by **Skippy204** » Sun Oct 21, 2012 10:56 pm

After upgrading to iptables 1.4.16.2 I started getting this error.

 root # rc-config start iptables
Starting init script
 * Loading iptables state and starting firewall ...
WARNING: The state match is obsolete. Use conntrack instead.
iptables-restore v1.4.16.2: state: option "--state" must be specified

Error occurred at line: 24
Try `iptables-restore -h' or 'iptables-restore --help' for more informati [ !! ]
 * ERROR: iptables failed to start

I've done some googleing and all I've come up with is this - which seems to indicate this is a bug. But I hardly know enough about iptables to know if it's bug or my mistake.

https://bugs.launchpad.net/ufw/+bug/1065297

Can anyone help me out? Thanks.
Skippy

PaulBredbury · Post by **PaulBredbury** » Sun Oct 21, 2012 11:09 pm

Instead of e.g.:

Code: Select all

-m state --state RELATED

Use:

Code: Select all

-m conntrack --ctstate RELATED

Skippy204 · Post by **Skippy204** » Sat Oct 27, 2012 5:34 pm

Thanks - I'm still having trouble applying this. Please tell me what I'm doing wrong, 'cause I'm flying mostly blind here.

In /var/lib/iptables/rules.working I'm changing

Code: Select all

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

to

Code: Select all

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

and then

Code: Select all

 root # rc-config start iptables
Starting init script
 * Caching service dependencies ...                                                                                        [ ok ]
 * Loading iptables state and starting firewall ...
WARNING: The state match is obsolete. Use conntrack instead.
iptables-restore v1.4.16.3: state: option "--state" must be specified

Error occurred at line: 24
Try `iptables-restore -h' or 'iptables-restore --help' for more information.                                               [ !! ]
 * ERROR: iptables failed to start

I'm still wrong about something . . .

Post by Hu » Sat Oct 27, 2012 5:39 pm

Unless you have changed your /etc/conf.d/iptables file, that is the wrong filename to edit. The default here is /var/lib/iptables/rules-save.

Did you change all uses of state? Does your kernel have conntrack built? Please post the entire modified rules file.

Skippy204 · Post by **Skippy204** » Sat Oct 27, 2012 5:50 pm

Hi, thanks for responding.

Code: Select all

 root # cat /var/lib/iptables/rules-save 
# Generated by iptables-save v1.4.16.2 on Thu Oct 11 17:39:04 2012
*nat
:PREROUTING ACCEPT [115774:17577973]
:INPUT ACCEPT [1:28]
:OUTPUT ACCEPT [1429994:98812650]
:POSTROUTING ACCEPT [1429994:98812650]
COMMIT
# Completed on Thu Oct 11 17:39:04 2012
# Generated by iptables-save v1.4.16.2 on Thu Oct 11 17:39:04 2012
*mangle
:PREROUTING ACCEPT [228134025:307554773508]
:INPUT ACCEPT [228133750:307554742848]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [135710476:20656815767]
:POSTROUTING ACCEPT [135931198:20687428864]
COMMIT
# Completed on Thu Oct 11 17:39:04 2012
# Generated by iptables-save v1.4.16.2 on Thu Oct 11 17:39:04 2012
*filter
:INPUT DROP [347589:48808777]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [135631043:20649408445]
[193304:10478848] -A INPUT -i lo -j ACCEPT
[227495532:307389083399] -A INPUT -m state -j ACCEPT
COMMIT
# Completed on Thu Oct 11 17:39:04 2012

Code: Select all

 root # cat /var/lib/iptables/rules.working
# Generated by iptables-save v1.4.12.1 on Fri Oct 28 14:03:14 2011
*nat
:PREROUTING ACCEPT [2:604]
:INPUT ACCEPT [1:28]
:OUTPUT ACCEPT [4507:294969]
:POSTROUTING ACCEPT [4507:294969]
COMMIT
# Completed on Fri Oct 28 14:03:14 2011
# Generated by iptables-save v1.4.12.1 on Fri Oct 28 14:03:14 2011
*mangle
:PREROUTING ACCEPT [102988:113880041]
:INPUT ACCEPT [102987:113879465]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80124:7497553]
:POSTROUTING ACCEPT [80524:7553153]
COMMIT
# Completed on Fri Oct 28 14:03:14 2011
# Generated by iptables-save v1.4.12.1 on Fri Oct 28 14:03:14 2011
*filter
:INPUT DROP [3:747]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [691:90231]
[0:0] -A INPUT -i lo -j ACCEPT
[5659:7506894] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Oct 28 14:03:14 2011

I have not modified /etc/conf.d/iptables.

Regarding the kernel, if NETFILTER_XT_MATCH_CONNTRACK is the correct module to build, then yes.

Post by Hu » Sat Oct 27, 2012 8:41 pm

According to your output, you modified a file that is not used at all. You must modify the file which will be read by the init script. This file defaults to rules-save, which you have not modified.

Post by **toralf** » Sat Oct 27, 2012 8:51 pm

PaulBredbury wrote:Instead of e.g.:
Code: Select all
-m state --state RELATED
Use:
Code: Select all
-m conntrack --ctstate RELATED

Hhm, do I have to adapt that change to all of these lines

Code: Select all

tfoerste@n22 ~ $ sudo grep state /etc/kmyfirewall/kmyfirewall.sh
        $MOD ipt_state 
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state NEW         --match recent --name FAILED_SSH_LOGIN --set
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
        $IPT -t filter -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --set
        $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --update --seconds 60 --hitcount 11 -j DROP
        $IPT -t filter -A OUTPUT --match state --state RELATED,ESTABLISHED -j ACCEPT

if >=iptables-1.4.16.x becomes stable ?

Skippy204 · Post by **Skippy204** » Sat Oct 27, 2012 9:08 pm

Well that works. However it works by totally cutting off all my internet connection.

Definitely secure.

No so useful.

Code: Select all

 root # cat rules-save
# Generated by iptables-save v1.4.16.3 on Sat Oct 27 15:05:40 2012
*nat
:PREROUTING ACCEPT [115774:17577973]
:INPUT ACCEPT [1:28]
:OUTPUT ACCEPT [1430136:98822605]
:POSTROUTING ACCEPT [1430136:98822605]
COMMIT
# Completed on Sat Oct 27 15:05:40 2012
# Generated by iptables-save v1.4.16.3 on Sat Oct 27 15:05:40 2012
*mangle
:PREROUTING ACCEPT [228134830:307554866638]
:INPUT ACCEPT [228134555:307554835978]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [135710876:20656863052]
:POSTROUTING ACCEPT [135931612:20687478095]
COMMIT
# Completed on Sat Oct 27 15:05:40 2012
# Generated by iptables-save v1.4.16.3 on Sat Oct 27 15:05:40 2012
*filter
:INPUT DROP [348394:48901907]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [135631443:20649455730]
[193304:10478848] -A INPUT -i lo -j ACCEPT
[227495532:307389083399] -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
COMMIT

Ant P. · Post by **Ant P.** » Sat Oct 27, 2012 9:36 pm

Well since you changed it to not allow traffic from established connections, I'm not sure what else you expected to happen...

PaulBredbury · Post by **PaulBredbury** » Sun Oct 28, 2012 1:03 am

Skippy204 wrote:-A INPUT -m conntrack --ctstate RELATED -j ACCEPT

Your previous rule was:

Code: Select all

-A INPUT -m state -j ACCEPT

Since it's not actually checking a state, that "-m state" was useless. And the change you've made is totally wrong.

Change it to:

Code: Select all

-A INPUT -j ACCEPT

Post by Hu » Sun Oct 28, 2012 4:39 pm

toralf wrote:

Code: Select all

tfoerste@n22 ~ $ sudo grep state /etc/kmyfirewall/kmyfirewall.sh
        $MOD ipt_state 
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state NEW         --match recent --name FAILED_SSH_LOGIN --set
        $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
        $IPT -t filter -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --set
        $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --update --seconds 60 --hitcount 11 -j DROP
        $IPT -t filter -A OUTPUT --match state --state RELATED,ESTABLISHED -j ACCEPT

if >=iptables-1.4.16.x becomes stable ?

Yes, but if that script is generated by some other tool, updating the tool should handle that for you.

OP: PaulBredbury is correct. He also brings up an interesting problem. You have been using a completely open (non-filtering) configuration for some time, since your rules-save specified an open configuration. The rules.working file, which was not used and therefore not working, specified a filtering configuration. The change he suggests is correct to maintain your current behavior of accepting all traffic.

Post by **toralf** » Sun Oct 28, 2012 4:43 pm

Hu wrote:Yes, but if that script is generated by some other tool, updating the tool should handle that for you.

Sure - but I used KMyFirewall eons before just for the initial generation and after that I'm using vim to update it

Skippy204 · Post by **Skippy204** » Sat Nov 10, 2012 5:12 pm

Howdy, the post from PaulBredbury solved it. Iptablels now starts up.

Regarding the fact that I have no actual filtering rules - thank you for pointing that out. My iptalbes knowledge seriously lacks. Can anyone suggest a good GUI that will help me configure this or a manual that is written for idiots?

Thanks very much for the help.

PaulBredbury · Post by **PaulBredbury** » Sat Nov 10, 2012 7:45 pm

The Arch wiki seems like a good intro.

Element Dave · Post by **Element Dave** » Sat Nov 10, 2012 8:05 pm

Skippy204 wrote:Howdy, the post from PaulBredbury solved it. Iptablels now starts up.

Regarding the fact that I have no actual filtering rules - thank you for pointing that out. My iptalbes knowledge seriously lacks. Can anyone suggest a good GUI that will help me configure this or a manual that is written for idiots?

Thanks very much for the help.

The Arch Linux wiki has a page that you might find helpful. From what it looks like you're trying to accomplish, you can probably skip everything after section 2.4 ("The INPUT Chain").

https://wiki.archlinux.org/index.php/Si ... l_Firewall

khayyam · Post by **khayyam** » Sat Nov 10, 2012 9:01 pm

Skippy204 wrote:Can anyone suggest a good GUI that will help me configure this or a manual that is written for idiots?

Skippy204 ... there is a direct corrolation between tools that shield the user from understanding the internals of a given system, and users not understanding the internals of a given system. Skill and familiarity are aquired by "use", and there is no shortcut that doesn't infact circumvent "use", and so the development of skill.

By far the best tutorial on iptables is Oskar Andreasson's. It doesn't make the assumption of prior knowledege (and so is accessable) but is detailed and broad in scope. That said, the subject is not one that can be grasped in a new-york minute, but as the saying goes, its better to be at the bottom of a ladder you want to climb than half way up one you don't.

best ... khay

Skippy204 · Post by **Skippy204** » Thu Nov 15, 2012 3:38 pm

Thank you all for your suggestions.

I will check them out.

Post by **toralf** » Thu Nov 22, 2012 6:15 pm

Hhm, the proposed change doesn't work here :

Code: Select all

n22 /etc/kmyfirewall # diff kmyfirewall.sh kmyfirewall.sh_old
42,43c42,43                                                                                                                                                           
<       $IPT -t filter -A INPUT -p tcp --destination-port 22 --match conntrack --ctstate NEW         --match recent --name FAILED_SSH_LOGIN --set                     
<       $IPT -t filter -A INPUT -p tcp --destination-port 22 --match conntrack --ctstate ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset                                                                                                                            
---                                                                                                                                                                   
>       $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state NEW         --match recent --name FAILED_SSH_LOGIN --set                           
>       $IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset                                                                                                                                  
47c47                                                                                                                                                                 
<       $IPT -t filter -A INPUT --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT                                                                             
---                                                                                                                                                                   
>       $IPT -t filter -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT                                                                                   
51,52c51,52                                                                                                                                                           
<       $IPT -t filter -A INPUT --match conntrack --ctstate NEW --match recent --name MAX_CONN_PER_IP --set                                                           
<       $IPT -t filter -A INPUT --match conntrack --ctstate NEW --match recent --name MAX_CONN_PER_IP --update --seconds 60 --hitcount 11 -j DROP                     
---                                                                                                                                                                   
>       $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --set                                                                 
>       $IPT -t filter -A INPUT --match state --state NEW --match recent --name MAX_CONN_PER_IP --update --seconds 60 --hitcount 11 -j DROP                           
138c138
<       $IPT -t filter -A OUTPUT --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
---
>       $IPT -t filter -A OUTPUT --match state --state RELATED,ESTABLISHED -j ACCEPT

The old works :

Code: Select all

n22 /etc/kmyfirewall # ./kmyfirewall.sh_old restart

but the new not

Code: Select all

n22 /etc/kmyfirewall # ./kmyfirewall.sh restart
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.

Post by Hu » Fri Nov 23, 2012 12:13 am

Do you have the appropriate Netfilter features configured in your kernel? It is possible to build a kernel with state and without conntrack.

Post by **toralf** » Fri Nov 23, 2012 8:47 am

Hu wrote:Do you have the appropriate Netfilter features configured in your kernel? It is possible to build a kernel with state and without conntrack.

ah maybe, here I do have a /proc/config.gz : http://bpaste.net/show/59865/ /me now wonders which have to be added too .

aCOSwt · Post by **aCOSwt** » Fri Nov 23, 2012 9:18 am

@toralf : What about this one :

toralf's config wrote:# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set

I'd definitely set it.

Post by **toralf** » Fri Nov 23, 2012 9:49 am

aCOSwt wrote:@toralf : What about this one :
toralf's config wrote:# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
I'd definitely set it.

ofc - thx
So CONFIG_NETFILTER_XT_MATCH_STATE is gone in favor of CONFIG_NETFILTER_XT_MATCH_CONNTRACK.

Yminus · Post by **Yminus** » Mon Dec 10, 2012 10:23 am

I have never touched any iptables configuration assuming it comes with reasonable defaults. And iptables has been installed as dependency of those:

Code: Select all

 * These packages depend on iptables:
app-emulation/libvirt-0.10.2-r3 (virt-network ? >=net-firewall/iptables-1.4.10)
net-misc/connman-1.0-r1 (>=net-firewall/iptables-1.4.8)
sys-apps/iproute2-3.3.0 (iptables ? >=net-firewall/iptables-1.4.5)

But now I learn that an upgrade broke this configuration. Shouldn't the upgrade ensure that the configuration is sane if I never touched it myself?

aCOSwt · Post by **aCOSwt** » Mon Dec 10, 2012 10:57 am

Yminus wrote:I have never touched any iptables configuration assuming it comes with reasonable defaults... And iptables has been installed as dependency

So this means that you did not write any rules / did not add the program to rc... correct ?
So iptables are neither configured nor running on your system.
For running as a firewall for example I mean.

So the upgrade did not actually break anything in your system.

BTW, just fearing something. I might completely misunderstand what you mean but... do you mean you believed your system protected because supposed to be running some automagic-default-safe firewall ?

Yminus · Post by **Yminus** » Mon Dec 10, 2012 11:40 am

aCOSwt wrote:So this means that you did not write any rules / did not add the program to rc... correct ?

I did not write any rules. I think that libvirt is shipped with some rules needed for virtual networking. iptables is in runlevel default, but I can't remember adding it (I use this system for more than 4 years now)

aCOSwt wrote:So iptables are neither configured nor running on your system.
Well,
For running as a firewall for example I mean.

I never set it up to be running as a firewall. I think libvirt needs it for bridging.

aCOSwt wrote:So the upgrade did not actually break anything in your system.

iptbales fails to start. Maybe I just remove it from all runlevels and see if this breaks something.

aCOSwt wrote:BTW, just fearing something. I might completely misunderstand what you mean but... do you mean you believed your system protected because supposed to be running some automagic-default-safe firewall ?

I always thought a Linux system does not need a firewall if there are no services listening for external connections? My apache only accepts connections from localhost (I need it for personal dokuwiki), my sshd is only accepting certain ssh-keys and no passwords,... . Do I need a firewall on a Linux laptop?